docs: Verifiable builds and publishing (#592)
This commit is contained in:
parent
af7d246c0c
commit
2a06704c04
|
@ -74,6 +74,14 @@ module.exports = {
|
||||||
"/cli/commands",
|
"/cli/commands",
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
collapsable: false,
|
||||||
|
title: "Source Verification",
|
||||||
|
children: [
|
||||||
|
"/getting-started/verification",
|
||||||
|
"/getting-started/publishing",
|
||||||
|
],
|
||||||
|
},
|
||||||
],
|
],
|
||||||
|
|
||||||
nav: [
|
nav: [
|
||||||
|
|
|
@ -0,0 +1,85 @@
|
||||||
|
# Publishing Source
|
||||||
|
|
||||||
|
The Anchor Program Registry at [anchor.projectserum.com](https://anchor.projectserum.com)
|
||||||
|
hosts a catalog of verified programs on Solana both written with and without Anchor. It is recommended
|
||||||
|
that authors of smart contracts publish their source to promote best
|
||||||
|
practices for security and transparency.
|
||||||
|
|
||||||
|
::: tip note
|
||||||
|
The Anchor Program Registry is currently in alpha testing. For access to publishing
|
||||||
|
please ask on [Discord](https://discord.gg/rg5ZZPmmTm).
|
||||||
|
:::
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
The process for publishing is mostly identical to `crates.io`.
|
||||||
|
|
||||||
|
* Signup for an account [here](https://anchor.projectserum.com/signup).
|
||||||
|
* Confirm your email by clicking the link sent to your address.
|
||||||
|
* Navigate to your Username -> Account Settings on the top navbar.
|
||||||
|
* Click "New Token" in the **API Access** section.
|
||||||
|
* Run `anchor login <token>` at the command line.
|
||||||
|
|
||||||
|
And you're ready to interact with the registry.
|
||||||
|
|
||||||
|
## Configuring a Build
|
||||||
|
|
||||||
|
Whether your program is written in Anchor or not, all source being published must
|
||||||
|
have an `Anchor.toml` to define the build.
|
||||||
|
|
||||||
|
An example `Anchor.toml` config looks as follows,
|
||||||
|
|
||||||
|
```toml
|
||||||
|
anchor_version = "0.13.0"
|
||||||
|
|
||||||
|
[workspace]
|
||||||
|
members = ["programs/multisig"]
|
||||||
|
|
||||||
|
[provider]
|
||||||
|
cluster = "mainnet"
|
||||||
|
wallet = "~/.config/solana/id.json"
|
||||||
|
|
||||||
|
[programs.mainnet]
|
||||||
|
multisig = { address = "A9HAbnCwoD6f2NkZobKFf6buJoN9gUVVvX5PoUnDHS6u", path = "./target/deploy/multisig.so", idl = "./target/idl/multisig.json" }
|
||||||
|
```
|
||||||
|
|
||||||
|
Here there are four sections.
|
||||||
|
|
||||||
|
1. `anchor_version` (optional) - sets the anchor docker image to use. By default, the builder will use the latest version of Anchor.
|
||||||
|
2. `[workspace]` (optional) - sets the paths--relative to the `Anchor.toml`--
|
||||||
|
to all programs in the local
|
||||||
|
workspace, i.e., the path to the `Cargo.toml` manifest associated with each
|
||||||
|
program that can be compiled by the `anchor` CLI. For programs using the
|
||||||
|
standard Anchor workflow, this can be ommitted. For programs not written in Anchor
|
||||||
|
but still want to publish, this should be added.
|
||||||
|
3. `[provider]` - configures the wallet and cluster settings. Here, `mainnet` is used because the registry only supports `mainnet` binary verification at the moment.
|
||||||
|
3. `[programs.mainnet]` - configures each program in the workpace. Here the
|
||||||
|
`address` of the program to verify and the `path` to it's binary build artifact. For Anchor programs with an **IDL**, an `idl = "<path>"` field should also be provided.
|
||||||
|
|
||||||
|
::: tip
|
||||||
|
When defining program in `[programs.mainnet]`, make sure the name provided
|
||||||
|
matches the **lib** name for your program, which is defined
|
||||||
|
by your program's Cargo.toml.
|
||||||
|
:::
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
|
||||||
|
#### Anchor Program
|
||||||
|
|
||||||
|
An example of a toml file for an Anchor program can be found [here](https://anchor.projectserum.com/build/2).
|
||||||
|
|
||||||
|
#### Non Anchor Program
|
||||||
|
|
||||||
|
An example of a toml file for a non-anchor program can be found [here](https://anchor.projectserum.com/build/1).
|
||||||
|
|
||||||
|
## Publishing
|
||||||
|
|
||||||
|
To publish to the Anchor Program Registry, change directories to the `Anchor.toml`
|
||||||
|
defined root and run
|
||||||
|
|
||||||
|
```bash
|
||||||
|
anchor publish <program-name>
|
||||||
|
```
|
||||||
|
|
||||||
|
where `<program-name>` is as defined in `[programs.mainnet]`, i.e., `multisig`
|
||||||
|
in the example above.
|
|
@ -0,0 +1,50 @@
|
||||||
|
# Verifiable Builds
|
||||||
|
|
||||||
|
Building programs with the Solana CLI may embed machine specfic
|
||||||
|
code into the resulting binary. As a result, building the same program
|
||||||
|
on different machines may produce different executables. To get around this
|
||||||
|
problem, one can build inside a docker image with pinned dependencies to produce
|
||||||
|
a verifiable build.
|
||||||
|
|
||||||
|
Anchor makes this easy by providing CLI commands to build take care of
|
||||||
|
docker for you. To get started, first make sure you
|
||||||
|
[install](https://docs.docker.com/get-docker/) docker on your local machine.
|
||||||
|
|
||||||
|
## Building
|
||||||
|
|
||||||
|
To produce a verifiable build, run
|
||||||
|
|
||||||
|
```bash
|
||||||
|
anchor build --verifiable
|
||||||
|
```
|
||||||
|
|
||||||
|
## Verifying
|
||||||
|
|
||||||
|
To verify a build against a program deployed on mainnet, run
|
||||||
|
|
||||||
|
```bash
|
||||||
|
anchor verify <program-id>
|
||||||
|
```
|
||||||
|
|
||||||
|
If the program has an IDL, it will also check the IDL deployed on chain matches.
|
||||||
|
|
||||||
|
## Images
|
||||||
|
|
||||||
|
A docker image for each version of Anchor is published on [Docker Hub](https://hub.docker.com/r/projectserum/build). They are tagged in the form `projectserum/build:<version>`. For example, to get the image for Anchor `v0.13.0` one can run
|
||||||
|
|
||||||
|
```
|
||||||
|
docker pull projectserum/build:v0.13.0
|
||||||
|
```
|
||||||
|
|
||||||
|
## Removing an Image
|
||||||
|
In the event you run a verifiable build from the CLI and exit prematurely,
|
||||||
|
it's possible the docker image may still be building in the background.
|
||||||
|
|
||||||
|
To remove, run
|
||||||
|
|
||||||
|
```
|
||||||
|
docker rm -f anchor-program
|
||||||
|
```
|
||||||
|
|
||||||
|
where `anchor-program` is the name of the image created by default from within
|
||||||
|
the Anchor CLI.
|
Loading…
Reference in New Issue